SSLClient::SSLClient(int sock, SSLClient::ERole role, const SSLConfig &ctx)
throw(SocketConnectionClosed, SSLError)
: SSLSocket(ctx), TCPSocket::TCPSocket(sock)
{
m_SSL = SSL_new(m_CTX);
SSL_set_mode(m_SSL, SSL_MODE_AUTO_RETRY);
m_BIO = BIO_new_socket(GetSocket(), BIO_NOCLOSE);
SSL_set_bio(m_SSL, m_BIO, m_BIO);
switch(role)
{
case SSLClient::CLIENT:
if(SSL_connect(m_SSL) < 0)
throw SSLError("Connect error");
break;
case SSLClient::SERVER_FORCE_CERT:
SSL_set_verify(m_SSL,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
0);
case SSLClient::SERVER:
{
if(SSL_accept(m_SSL) < 0)
throw SSLError("Accept error");
}
break;
}
}
int SslOcspStapling::certVerify(OCSP_RESPONSE *pResponse,
OCSP_BASICRESP *pBasicResp, X509_STORE *pXstore)
{
int n, iResult = -1;
STACK_OF(X509) *pXchain;
ASN1_GENERALIZEDTIME *pThisupdate, *pNextupdate;
struct stat st;
pXchain = m_pCtx->extra_certs;
if (OCSP_basic_verify(pBasicResp, pXchain, pXstore, OCSP_NOVERIFY) == 1)
{
if ((m_pCertId != NULL)
&& (OCSP_resp_find_status(pBasicResp, m_pCertId, &n,
NULL, NULL, &pThisupdate, &pNextupdate) == 1)
&& (n == V_OCSP_CERTSTATUS_GOOD)
&& (OCSP_check_validity(pThisupdate, pNextupdate, 300, -1) == 1))
{
iResult = 0;
updateRespData(pResponse);
unlink(m_sRespfile.c_str());
rename(m_sRespfileTmp.c_str(), m_sRespfile.c_str());
if (::stat(m_sRespfile.c_str(), &st) == 0)
m_RespTime = st.st_mtime;
}
}
if (iResult)
{
setLastErrMsg("%s", SSLError().what());
ERR_clear_error();
if (m_pHttpFetch)
m_pHttpFetch->writeLog(s_ErrMsg.c_str());
}
return iResult;
}
int SecureSocketImpl::Connect(const char *host, unsigned short port)
{
int ret = PlainSocketImpl::Connect(host, port);
if (ret != 0)
return ret;
m_pimpl->ssl = SSL_new(s_sslContext);
if (m_pimpl->ssl == 0)
throw SSLError("Could not initialize socket SSL context");
SSL_set_fd(m_pimpl->ssl, static_cast<int>(GetDescriptor()));
ret = SSL_connect(m_pimpl->ssl);
if (ret < 1)
throw SSLError("Could not establish a secure connection");
return 0;
}
TCPSocket *SSLClient::shutdownSSL(SSLClient *c) throw(SocketConnectionClosed)
{
switch(SSL_shutdown(c->m_SSL)) // Sends a shutdown notice
{
case 0:
if(SSL_shutdown(c->m_SSL) != 1) // Waits for the answer
throw SSLError("The peer didn't answer our \"close notify\"");
break;
case 1: // Ok
break;
default:
throw SSLError("SSL_shutdown returned -1");
break;
}
return new TCPSocket(Socket::Unlock(c));
}
void SSLSocket::Init() throw(SSLError)
{
bool bInit = false;
if(!bInit)
{
if(!SSL_library_init())
throw SSLError("Couldn't initialize OpenSSL");
SSL_load_error_strings();
bInit = true;
}
}
SecureSocketImpl::SecureSocketImpl(const AbortIndicator & abortIndicator)
: PlainSocketImpl(abortIndicator)
, m_pimpl(new Impl)
{
m_pimpl->ssl = 0;
Util::ScopedLock lock(s_cs);
if (s_sslRefs == 0) {
s_sslContext = SSL_CTX_new(SSLv23_client_method());
if (s_sslContext == 0)
throw SSLError("Could not initialize SSL context");
}
s_sslRefs++;
}
SSLSocket::SSLSocket(const SSLConfig &ctx) throw(SSLError)
{
m_CTX = SSL_CTX_new(SSLv23_method());
if(m_CTX == NULL)
throw SSLError("Can't create a SSL_CTX object");
if(ctx.m_sCertChainFile != "")
{
if(!SSL_CTX_use_certificate_chain_file(m_CTX,
ctx.m_sCertChainFile.c_str()))
throw SSLError("Can't read trusted certificate file");
}
if(ctx.m_bAskForPasswd)
SSL_CTX_set_default_passwd_cb(m_CTX, password_ask_cb);
else if(ctx.m_sPasswd != "")
{
SSL_CTX_set_default_passwd_cb_userdata(m_CTX, (void*)&ctx.m_sPasswd);
SSL_CTX_set_default_passwd_cb(m_CTX, password_cb);
}
if(ctx.m_sCertChainFile != "")
{
if(!SSL_CTX_use_PrivateKey_file(m_CTX, ctx.m_sCertChainFile.c_str(),
SSL_FILETYPE_PEM))
throw SSLError("Can't read trusted certificate file");
}
if(ctx.m_sCAList != "")
{
if(!SSL_CTX_load_verify_locations(m_CTX, ctx.m_sCAList.c_str(), 0))
throw SSLError("Can't read CA list");
#if OPENSSL_VERSION_NUMBER < 0x00905100L
SSL_CTX_set_verify_depth(m_CTX, 1);
#endif
}
if(ctx.m_sCipherList != "")
SSL_CTX_set_cipher_list(m_CTX, ctx.m_sCipherList.c_str());
if(ctx.m_sCertificateFile != "")
{
if(!SSL_CTX_use_certificate_file(m_CTX, ctx.m_sCertificateFile.c_str(),
SSL_FILETYPE_PEM))
throw SSLError("Can't read own certificate file");
}
if(ctx.m_sPrivatekeyFile != "")
{
int type;
switch(ctx.m_ePrivatekeyType)
{
case SSLSocket::PEM:
type = SSL_FILETYPE_PEM;
break;
case SSLSocket::ASN1:
type = SSL_FILETYPE_ASN1;
break;
}
if(!SSL_CTX_use_PrivateKey_file(m_CTX, ctx.m_sPrivatekeyFile.c_str(),
SSL_FILETYPE_PEM))
throw SSLError("Can't load private key file");
}
}
void SSL_ciphernames(MCExecPoint &ep)
{
#ifdef MCSSL
// MW-2004-12-29: Integrate Tuviah's fixes
static char sslcipherlist[] = "bf,128\nbf-cbc,128\nbf-cfb,128\nbf-ecb,128\nbf-ofb,128\nblowfish,128\ncast,128\ncast-cbc,128\ncast5-cbc,128\ncast5-cfb,128\ncast5-ecb,128\ncast5-ofb,128\ndes,64\ndes-cbc,64\ndes-cfb,64\ndes-ecb,64\ndes-ede,128\ndes-ede-cbc,128\ndes-ede-cfb,128\ndes-ede-ofb,128\ndes-ede3,192\ndes-ede3-cbc,192\ndes-ede3-cfb,192\ndes-ede3-ofb,192\ndes-ofb,64\ndes3,192\ndesx,192\ndesx-cbc,192\nrc2,128\nrc2-40-cbc,40\nrc2-64-cbc,64\nrc2-cbc,128\nrc2-cfb,128\nrc2-ecb,128\nrc2-ofb,128\nrc4,128\nrc4-40,40\nrc5,128\nrc5-cbc,128\nrc5-cfb,128\nrc5-ecb,128\nrc5-ofb,128";
isfirstcipher = True;
ep.clear();
if (!InitSSLCrypt())
{
char sslerrbuf[256];
SSLError(sslerrbuf);
MCresult->copysvalue(sslerrbuf);
}
else
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, list_ciphers_cb, &ep);
#else
// MW-2013-01-15: [[ Bug 10631 ]] Make sure we clear the return value if no
// SSL!
ep . clear();
#endif
}
